2 INTRODUCTION Companies in today s economic environment are all facing the age-old business conundrum: how can we do more with less? To help improve capacity but drive down costs, organizations are increasingly turning to cloud-based technologies. Cloud-based Enterprise Resource Planning (ERP) can be deployed quickly, minimizes the initial investment, reduces the Total Cost of Ownership (TCO) and offers seamless upgrades. Although many CEOs, CFOs, CIOs and key stakeholders look to cloud computing to help realize tremendous savings, there are concerns about cloud-based data solutions. In the age of cyber attacks and the seemingly ever-growing list of online security threats, senior executives worry about the safety of their cloud-based information. Physical location, data transmission, access security and disaster recovery represent the four top-of-mind security concerns. This white paper will look at some of the key aspects of cloud security and examine some of the myths and misconceptions. Research also shows that while senior executives are apprehensive about cloudbased security, only a small percentage conduct due diligence on their providers. This white paper also includes a checklist of 10 questions that SMBs, mid-market companies and large organizations should ask their potential providers.

3 THE RISE OF CLOUD COMPUTING A 2011 survey by CDW found that 28% of US-based organizations are using cloud computing today, and 73% of those organizations took their first step by implementing a single cloud application. Interestingly, the vast majority of the survey respondents (84%) say they have already employed at least one cloud application. So, in essence, there are a lot of first steps being taken, and wider cloud adoption is foreseeable. There s no doubt the cloud is garnering attention as companies cautiously explore cloud applications. According to an April 2011 Forrester Research report titled Sizing the Cloud the global cloud computing market is estimated to reach $241 billion in Yet, despite the rise of cloud computing, there are a number of misconceptions floating around, with security at the top of the list. Top 5 Cloud ERP Misconceptions 1. With a cloud ERP solution, our data isn t as secure as it is onsite. 2. Cloud ERP solutions provide only basic ERP functionality. 3. Cloud ERP solutions can t be customized. 4. It s difficult to integrate cloud ERP systems with other systems. 5. If the Internet goes down, the business goes down. As companies transition from low-risk testing the waters to taking the plunge with cloud ERP for more mission-critical functions like Finance and Accounting, the issue of cloud security is inevitable. The question most often asked is, Just how secure is our data? It s a legitimate question. It was only a few short years ago that cloudbased ERP systems were the exception rather than the norm for most companies. The idea of not having all data, infrastructure, software and hardware on-site was new, intriguing and fraught with concerns. Entrusting private business data and applications to an outside hosting service made (and continues to make) some organizations uncomfortable.

4 Despite the cloud s shift into the mainstream, security and compliance still top the list of apprehensions inhibiting cloud adoption. Some of this apprehension is caused in part by confusion around a lack of industry standards; expectations and definitions of security can vary from industry to industry. Different regions and countries are subject to different data protection policies and legislation that could compromise data privacy. Companies need to conduct due diligence on their prospective cloud providers. Data security and privacy issues are very real concerns no matter whether SMBs implement a cloud ERP solution or on-premise ERP. Both require knowledge of data: which data is sensitive, the degree of sensitivity and the protocols required to protect it. Yet, the pervasive myth that cloud-based ERP simply isn t as secure as on-premise solutions continues to linger. The myth persists based on four misconceptions about the security of physical location, transmission, access security, and disaster security. PHYSICAL LOCATION The Misconception: A cloud-based solution is nebulous and can t be secured. The Reality Cloud computing is new, unknown and eyed suspiciously. It has the appearance of being risky because you cannot secure its perimeter where are a cloud s boundaries? A May 2010 study by the Ponemon Institute found that IT professionals believed security risks were more difficult to curtail in the cloud, including securing the physical location of data assets and restricting privileged user access to sensitive data. Yet, as CIO Magazine pointed out:

5 respondents only gave the on-premise alternative a 56% positive rating! In other words, nearly half the respondents believe that their own internal data centers do not do a good job of securing the physical environments of their data centers. 1 The reality is that often on-premise ERP security does not measure up to the same standards as a world-class data state-of-the-art facility. An ideal data center should be secure, free of windows, and built with cement or steel fortifications with 24/7 on-site security. Most SMB IT departments reside in a department or on a floor of commercial buildings and office towers, which rarely have these conditions. In comparison, MAXCloud data centers are housed in multi-million dollar facilities with building fortifications. The main data center is housed underground in a facility that is designed to withstand an 8.3 magnitude earthquake. The data centers also have 24/7/365 security, monitored by staff as well as security guards. TRANSMISSION Misconception: Cloud-based solutions are more vulnerable to hacking and other attacks. The Reality SMBs typically invest in hardware, software and applications to thwart specific security challenges: spam, security breaches, malware, noncompliance, and so forth. Unfortunately, many of these products have limited life cycles, are difficult to scale and, from a security point of view, often only produce single points of failure. Additionally, the latest technologies to scramble and encrypt data RSA, Secure Socket Layer (SSL), Data Encryption Standard (DES), or Triple DES, etc. can quickly drain SMB IT budgets. 1 Golden, Bernard. "Cloud Computing Security: IT's Take on State of Play." CIO Magazine. N.p., 17 May Web.

6 With traditional licensed ERP software, organizations typically must wait for the next release to benefit from the latest features, upgrades, or security patches. Sometimes limited resources can mean that upgrades aren t always deployed in a timely manner. In fact, twothirds of mid-size businesses are running outdated versions of their ERP software 2. This can leave these companies vulnerable. Under the SaaS (Software as a Service) delivery model that forms the basis of cloud ERP, the provider continuously and unobtrusively adds the latest features and upgrades, which means that users can be assured that they re actually using rather than waiting for the latest security technology. By their very nature, external applications like cloud-based technologies must adopt a trust no one approach. Layers of security controls, encryption of all sensitive data and security testing at the application level, as well as countless other safeguards are necessary for cloud security. A world-class cloud ERP provider will perform rigorous internal vulnerability scans, log threats, and are audited for SSAE 16 Type 2 compliance. Data is fully secured, both in transmission and at rest. For example, MAXCloud runs on a Microsoft Dynamics AX platform. It uses the RPC_C_AUTHN_LEVEL_PKT_PRIVACY call, which provides the highest security level available through a remote procedure call (RPC). There are no software or hardware purchases, and updates are seamless. ACCESS SECURITY 2 "Why Cloud Computing Matters to Finance," Ron Gill, CMA, CFM: Strategic Finance, January 2011.

7 The Misconception: An on-premise solution offers more security over who may access information. The Reality The myth that a cloud solution simply cannot be as secure as an onpremise solution has very much to do with the notion of seeing is believing. Often companies feel more in control of their data when it resides under their own roof. When ERP is on-site, it is the sole responsibility of the IT department to authenticate and log all access to data in order to prevent unwanted users, both internal and external, from accessing information or resources. Access security for on-premise ERP systems may be enforced through business logic or at the database layer. This authenticates users and provides them with specific rights to data objects. For example, a payroll clerk would only have access to payroll data, not customer records. A cloud-based ERP is no different. With MAXCloud, you control access to data throughout by managing security restrictions on forms, records and data fields for specific user groups and domains, and define and assign rights according to how you want security restrictions managed. Also, because MAXCloud is a single-tenant environment, there is no risk of data being inadvertently exposed to other users due to poor implementation of the access management process. While a secure cloud ERP system doesn t increase the vulnerability of your business data, authenticated users have anywhere, anytime, any device access, which is a tremendous advantage for global collaboration, monitoring and managing.

8 SECURITY FROM DISASTER Misconception: It s better to handle backups internally to be able to access data more quickly in case of a disaster. The Reality Companies must examine how often they back up data and where the backups are the stored. SMBs looking to third-party back-up systems and business continuity facilities must thoroughly examine the security standards that are in place. The truth of the matter is that SMBs need to invest in a rigorous program for data backups with offsite storage in a secure location separate from the main data center. Key questions to ask before choosing an external backup partner include: Does the third-party data recovery service abide by recognized security standards and compliance requirements? What happens if there is a power failure? How long will my data be kept? Cloud-based solutions like MAXCloud ensure full nightly backups, which are stored in an off-site location and are maintained for seven years. As well, the data centers have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power. THE NEW REALITY OF CLOUD ERP SOLUTIONS Traditional and cloud ERP share many of the same security issues, from preventing unauthorized access to safe and secure backups. As the new kid on the block, cloud technology is unfamiliar and not fully trusted. SMBs that adopt a cloud-based ERP solution like MAXCloud find that security is actually improved. Unlike large enterprise companies, SMBs

9 usually don t have the high security infrastructure, processes or best practices knowledge readily on hand. In the case of cyber attacks, cyber espionage, malware, human error and disasters, cloud-based service providers have higher levels of security. Microsoft released research in May of 2012, that verified the significant IT security advantages from using the cloud. One of the most interesting facts to emerge from the survey was that "35 percent of US companies surveyed have experienced noticeably higher levels of security since moving to the cloud." 3 Security is always a top concern for companies, but it s time to put to cut through the fog, and bring a little clarity to the situation: Cloud ERP systems and the data they contain are as secure, if not more secure than traditional ERP systems. 3 Microsoft. News Center. Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses. 14 May Web.

10 SECURITY CHECKLIST CompTIA's 9th Annual Information Security Trends survey of U.S. executives with IT responsibilities reported that only 29% of organizations report conducting a heavy review of their cloud service provider's security policies, procedures and capabilities. SMBs must vet their cloud providers by conducting due diligence and asking for proof of physical audits and physical access controls. Here are 10 questions you can ask your provider. 1.) What is your privacy policy? Your potential solution provider should have a well-defined and clearly articulated privacy policy that spells out exactly who has access to various types of information. It should also describe the organization s standard operating policies and procedures for ensuring privacy. Your prospective vendor should voluntarily provide you with a copy of this policy information. 2.) What level of security do you use to ensure the safety and integrity of critical data? To safeguard your data onsite, your prospective solution provider should use a combination of intrusion detection system (IDS) and intrusion prevention system (IPS) products and apply antivirus at various network layers. It should also utilize deep packet inspection (DPI) or an application-level firewall technology that scans all levels of packet transmission. Finally, it should also use secure socket layer (SSL) or https-encrypted transmission to ensure Internet security. 3.) Is your production equipment housed in a state-of-the-art facility? Your prospective vendor s data center should be secure, free of windows, and built with cement or steel fortifications. It should also be located somewhere that is not prone to inclement weather.

11 4.) What are your facility s physical security arrangements? Are they in place 24 hours a day, seven days a week, and 365 days a year? Similar to its privacy policy, your potential hosted ERP solution provider should have well-defined and robust security arrangements that are in place at all times. 5.) Do you contract with an independent, third-party organization to conduct periodic external and internal vulnerability scans? In addition to maintaining an intrusion response system and a prepared response plan, your prospective solution provider should frequently commission both routine and unannounced security audits. 6.) How often do you back up data, and where are the backups stored? Your potential hosting provider should have in place a rigorous program of data backup and offsite storage in a secure location remote from its main data center. 7.) Do you offer full hardware redundancy to avoid the negative consequences of a power failure? Your prospective solution provider s data center and backup location should have redundant power supplies, such as battery and diesel generator backups, to avoid the negative consequences associated with a power failure. 8.) Does your staff include a highly qualified operations team that monitors the site 24 hours a day, 365 days a year? Your prospective vendor should have on staff many certified security experts, including those with the preferred CISSP designation. 9.) Is my data stored in a multi-tenant or single tenant environment? A multi-tenant cloud-based ERP is a set of pooled computing resources, shared among many different organizations (tenants). In short, various organizations share the same database. In a single tenant environment, customers operate with their own individual

12 database. It is our belief that an isolated single tenant environment best maximizes performance, security, privacy and integration. 10.) How safe is your data center in terms of natural disasters? Your potential provider should be prepared for any number of natural disasters. In addition to a windowless, cement building with steel fortifications, the provider should have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power. For example, our main data center s backup generators can power a city of 25,000 people - which allows us to go off grid for 28 days without water, electricity, sewer, or natural gas feeds.

Microsoft Dynamics The Business Benefits of Hosted ERP Solutions for Small & Midsize Organizations Executive Summary Today s small and midsize organizations are increasingly looking for more flexible and

Microsoft Dynamics The Business Benefits of Hosted ERP Solutions for Small and Midsize Organizations November 15, 2009 Contents EXECUTIVE SUMMARY... 1 WHAT IS ERP HOSTING?... 2 BENEFITS OF A HOSTED ERP

Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

Take Your Vision to the Cloud Executive Summary Many Professional Service firms are moving their Deltek Vision solution to cloud with the aim of focusing limited IT resources on core business requirements

Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

Defining Data Security in 2015 and Beyond What you need to know about physical and virtual data security in a complex business environment Colocation Managed Cloud & Hosting Services Business Continuity

Dispelling the vapor around Cloud Security The final barrier to adopting cloud computing is security of their data and applications in the cloud. The last barrier to cloud adoption This White Paper examines

WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.

THE 5 BIGGEST MISTAKES LAWYERS MAKE WHEN CHOOSING A CLOUD SERVICE PROVIDER ( and how to fix them ) In recent years, an increasingly large number of law firms have moved their software and data to the cloud.

with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

In-House Vs. Hosted Email Security 10 Reasons Why Your Email is More Secure in a Hosted Environment Introduction Software as a Service (SaaS) has quickly become the standard delivery model for critical

THE SECURITY OF HOSTED EXCHANGE FOR SMBs In the interest of security and cost-efficiency, many businesses are turning to hosted Microsoft Exchange for the scalability, ease of use and accessibility available

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider

HITS HR & PAYROLL CLOUD MODEL WHITEPAPER Deciphering Total Cost of Ownership Total Cost of Ownership, or TCO, is commonly defined as the estimate of all direct and indirect costs associated with an asset

Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

GETTING THE MOST FROM THE CLOUD A White Paper presented by Why Move to the Cloud? CLOUD COMPUTING the latest evolution of IT services delivery is a scenario under which common business applications are

a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

Sync, send, and receive: Why cloud-based email and storage make sense for your business INTRODUCTION Two of the most valuable services currently available to small and mid-sized businesses (SMBs) are cloud-based

GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

White Paper Data Security The Top Threat Facing Enterprises Today CONTENTS Introduction Vulnerabilities of Mobile Devices Alarming State of Mobile Insecurity Security Best Practices What if a Device is

Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

Open an attachment and bring down your network? Many people think this will never happen to them, but virus attacks can come from unlikely sources and can strike when you least expect it. They can wreak

Deltek First - The Business Case Executive Summary Many organizations that do business with the government are adopting cloud-based versions of specialized business solutions with the aim of focusing limited

A THINKstrategies Primer for CIOs Making the Move to a Cloud-Based IT Service : Why the Time Is Right to Put Aside Your Fears & Capitalize on Today s Latest Innovations Published on Behalf of BMC Software

Presented by Luke Downing What is the Cloud? Market research 5 key benefits Considerations/Risks ABA rules Questions to asks Q&A Incorporated in 2002 Founded by Luke Downing & Matt Bakey Located in Norfolk,

I White Paper ERP and the Cloud: What You Need to Know Table of Contents Executive Summary... 3 Increased Interest in Cloud-Based ERP and SaaS Implementations... 3 What is Cloud/SaaS ERP?... 3 Why Interest

Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

A clearer view Security, compliance, and the cloud 2 A Clearer View ecurñ This document examines the current regulatory climate around the cloud and explains what to look for from a security standpoint

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

Building a Business Case: Cloud-Based Security for Small and Medium-Size Businesses table of contents + Key Business Drivers... 3... 4... 6 A TechTarget White Paper brought to you by Investing in IT security

What is Really Needed to Secure the Internet of Things? By Alan Grau, Icon Labs alan.grau@iconlabs.com The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices

Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the

ADVANCE YOUR MISSION WITH THE CLOUD DO MORE WITH LESS CLOUD SOLUTIONS CDW NONPROFIT 2 CLOUD SOLUTION Cloud/hosted software spending by nonprofits and associations increased by 43% while technology hardware

Is Cloud Accounting Right for Your Business? An Educational Report One of the most exciting changes in the accounting industry is cloud accounting. The concept is easy to grasp: cloud accounting simply

Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

Want the best of Cloud Services and On-Premise IT for all your business needs and at a predictable monthly cost? Introducing O365Connect, a complete and scalable cloud managed server appliance that enables